Constructing deterministic finite automata by reconfigurable means for solving information security tasks

Authors

  • Сергій Якович Гільгурт Pukhov Institute for Modelling in Energy Engineering of NAS of Ukraine

DOI:

https://doi.org/10.18372/2410-7840.21.13768

Keywords:

information security, multi-pattern string matching, FPGA, finite automaton, Aho-Corasick algorithm, efficiency

Abstract

Computer security requires the implementation of different measures - organizational, technical, cryptographic, etc. Network intrusion detection systems, antiviruses and other similar tools of technical protection based on signatures should solve in real time the computationally complex multi-pattern string matching task, which is a specific type of string matching functionality performed in DPI systems to search an input stream for a set of patterns rather than a single pattern. Due to rising traffic rates, increasing number and sophistication of attacks and the collapse of Moore's law for sequential processing, traditional software solutions can no longer meet the high requirements of today’s security challenges. Therefore, hardware approaches are proposed to accelerate pattern matching. Combining the flexibility of software and the near-ASIC performance, reconfigurable hardware devices based on Field Programmable Gate Arrays (FPGA) have become increasingly popular for this purpose. There are three main approaches to fulfill the computation-intensive multi-pattern string matching task using FPGA. The techniques of these approaches are: content addressable memory, Bloom filter and Aho-Corasick Algorithm. Each approach has its advantages and disadvantages. Effective construction of more and more complex signature-based tools of technical secure protection is impossible without a comprehensive analysis of the properties and specific features of every approach. In this study, in order to improve the efficiency of information security tools created on the basis of the FPGA, the main features of the third of the listed approaches are analyzed. Based on the analysis of the stateof-the-art finite automata realizing Aho-Corasick algorithm, the specialty of their implementation on FPGAs, encountering problems and ways to solve them are also investigated.

Author Biography

Сергій Якович Гільгурт, Pukhov Institute for Modelling in Energy Engineering of NAS of Ukraine

Candidate of Technical Sciences, Senior Researcher, Senior Researcher of Department of Modelling Theory, Pukhov Institute for Modelling in Energy Engineering of NAS of Ukraine

References

С. Гильгурт, "Реконфигурируемые вычислители. Аналитический обзор", Электронное моделирование, 2013.

С. Гильгурт, "Применение реконфигурируемых вычислителей для аппаратного ускорения сигна-турных систем защиты информации", Моделю-вання-2018, Київ, 2018: Інститут проблем моде-лювання в енергетиці ім. Г.Є. Пухова НАН України, С. 107-110.

С. Гільгурт, "Побудова асоціативної пам'яті на цифрових компараторах реконфігуровними за-собами для вирішення задач інформаційної без-пеки", Электронное моделирование, Т. 41, № 3, С. 59-80, 2019.

С. Гільгурт, "Побудова фільтрів Блума ре-конфігуровними засобами для вирішення задач інформаційної безпеки", Безпека інформації, Т. 35, № 1, С. 53-58, 2019.

К. Самофалов, А. Ромлинкевич, В. Валуйский, Ю. Каневский, М. Пиневич, Прикладная теория цифровых автоматов. Київ: Вища шк. Головное изд-во, 1987.

R. Keller, Computer Science: Abstraction to Implementation. Harvey Mudd College, 2001, p. 630.

B. Smyth, Computing Patterns in Strings. Essex: Pear-son Addison Wesley, 2003, 496 с.

A. Aho, M. Corasick, "Efficient String Matching: An Aid to Bibliographic Search", Communications of the ACM, vol. 18, no. 6, pp. 333-340, 1975.

W. Jiang, Y. Yang, V. Prasanna, "Scalable multi-pipeline architecture for high performance multi-pattern string matching", 24th IEEE International Parallel and Distributed Processing Symposium, IPDPS 2010, Atlanta, GA, 2010.

T. Song, W. Zhang, D. Wang, Y. Xue, "A memory efficient multiple pattern matching architecture for network security", 27th Ieee Conference on Computer Communications (Infocom), Vols 1-5, Proceedings Paper pp. 673-681, 2008.

C. Lin, Y. Tai, S. Chang, "Optimization of pattern matching algorithm for memory based architecture C3", ANCS'07. Proceedings of the 2007 ACM Symposium on Architecture for Networking and Communications, 3rd ACM/IEEE Symposium on Ar-chitectures for Networking and Communications Systems, ANCS 2007, Orlando, FL, pp. 11-16, 2007.

C. Lin, S. Chang, "Efficient Pattern Matching Algo-rithm for Memory Architecture", Ieee Transactions on Very Large Scale Integration (Vlsi) Systems, Article vol. 19, no. 1, pp. 33-41, Jan 2011.

Q. Wang, V. Prasanna, I. Soc, "Multi-Core Archi-tecture on FPGA for Large Dictionary String Matching", Proceedings of the 2009 17th Ieee Symposium on Field Programmable Custom Computing Machines, Pro-ceedings Paper, pp. 96-103, 2009.

J. Lunteren, "High-performance pattern-matching for intrusion detection", 25th Ieee International Confer-ence on Computer Communications, Vol. 1-7, Proceedings Ieee Infocom 2006, Proceedings Paper pp. 1409-1421, 2006.

H. Lu, K. Zheng, B. Liu, X. Zhang, Y. Liu, "A memory-efficient parallel string matching architec-ture for high-speed intrusion detection", Ieee Journal on Selected Areas in Communications, Article vol. 24, no. 10, pp. 1793-1804, Oct 2006.

L. Tan, T. Sherwood, I. Soc, "A high throughput string matching architecture for intrusion detection and prevention", 32nd International Symposium on Com-puter Architecture, Madison, WI, Jun 04-08 2005, LOS ALAMITOS: Ieee Computer Soc, in Confer-ence Proceedings Annual International Symposium on Computer Architecture, pp. 112-122, 2005.

P. Piyachon, Y. Luo, "Efficient memory utilization on network processors for deep packet inspec-tion", 2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems, ANCS 2006, San Jose, CA, pp. 71-80, 2006.

K. Huang, D. Zhang, "A Byte-Filtered String Matching Algorithm for Fast Deep Packet Inspec-tion", Proceedings of the 9th International Confer-ence for Young Computer Scientists, Vols 1-5, Proceedings Paper, pp. 2073-2078, 2008.

H. Jung, Z. Baker, V. Prasanna, "Performance of FPGA implementation of bit-split architecture for intrusion detection systems", 20th IEEE International Parallel and Distributed Processing Symposium, IPDPS 2006, 2006, vol. 2006: IEEE Computer Society.

D. Pao, W. Lin, B. Liu, "Pipelined architecture for multi-string matching," IEEE Computer Architecture Letters, vol. 7, no. 2, pp. 33-36, 2008.

Downloads

Published

2019-06-27

Issue

Vol. 21 No. 2 (2019)

Section

Articles

License

Authors who publish with this journal agree to the following terms:

  1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.

  2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.

  3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).